Assimilate MCP

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could change active Assimilate projects, import media, alter grades, or start renders.

Why it was flagged

The skill intentionally exposes broad controls, including project mutation, color changes, rendering, outputs, and media directory discovery.

Skill content

Complete 1:1 integration ... with 88 tools across 14 categories ... `create_project` ... `set_grade` ... `start_render` ... `list_directory` `find_media`

Recommendation

Use this only when you want AI-assisted control of Assimilate, and require explicit confirmation before create, set, import, output, or render actions.

What this means

You must trust the npm package and its maintainers, because this review cannot verify the code that will actually run.

Why it was flagged

The configured MCP server runs an npm package through npx, while the supplied review artifacts include no package source code.

Skill content

"command": "npx", "args": ["-y", "assimilate-mcp"]

Recommendation

Inspect the npm/GitHub package, pin a trusted version where possible, and install only from the expected publisher.

What this means

Anyone or anything with the configured key and network access to the API may be able to control the target Assimilate instance.

Why it was flagged

The skill may use an Assimilate authorization key to control the REST API, which is expected for this integration but grants delegated control.

Skill content

`--key` | `ASSIMILATE_KEY` | — | Authorization key |

Recommendation

Keep the key private, avoid placing it in shared configs, and use the narrowest access supported by Assimilate.

What this means

A misconfigured host, port, or tunnel could expose the Assimilate control API beyond the intended local machine.

Why it was flagged

The skill communicates with a local or tunneled HTTP API, so the network boundary determines who can reach the controlled Assimilate service.

Skill content

Live FX HTTP server enabled ... default port 8080 ... For remote machines, use an SSH tunnel

Recommendation

Keep the API bound to localhost when possible, use SSH tunnels only to trusted hosts, and protect the port with firewalling and authentication.